ESET researchers have published their findings on AceCryptor, a widely used cryptor (a packer that hides malware from security software). This threat has been spreading globally since 2016, and many attackers actively use it to distribute their own malware.
During 2021 and 2022, ESET telemetry recorded more than 240 thousand detections of this malware, which is more than 10 thousand per month. The threat is probably sold on the darknet or on underground forums. Many attackers use this cryptor to avoid detection by security solutions, and AceCryptor in particular has used numerous detection-evasion techniques over the years.
For cybercriminals, evading malware detection is a difficult task. Cryptors are the first layer of defense against detection for threats in the propagation phase. While attackers can create and maintain their own cryptors, doing so takes time and technical capability to keep the threat effective. ESET researcher Jakub Kaloč said:
“That’s why cryptors as a service are in demand.”
Among the malware families that have used AceCryptor, one of the most common is RedLine Stealer. This threat steals bank card credentials and other sensitive information, downloads files, and can even steal cryptocurrency. RedLine Stealer was first detected in early 2022, and since then attackers have started using AceCryptor to pack it and continue to do so.
“Thus, AceCryptor’s detection capability helps us not only to detect new threats but also to track the actions of cybercriminals,” Kaloč explains.

Because it is used by different cybercriminals, malware packaged with AceCryptor is spread in different ways. According to ESET’s telemetry data, these threats were spread mainly through malicious pirated-software installers or spam emails with dangerous attachments. Another infection path was through other threats that downloaded new malware packaged with AceCryptor.
Since the cryptor is used by many cybercriminals, any user can become a victim. Because of the diversity of the packed malware, it is difficult to assess the consequences for a victim in general. For example, a victim could open a dangerous email attachment and then have additional threats downloaded onto the device.
Although it is not possible to attribute AceCryptor to a specific group of cybercriminals at this time, ESET researchers believe that it will continue to be widely used. Continued tracking will help identify new malware families that use this cryptor.
Given the danger of these attacks, ESET experts recommend following basic cybersecurity rules: do not open unknown emails and documents, use strong passwords and two-factor authentication, keep software up to date, and ensure reliable protection of home devices and corporate networks.